"HashiCorp Vault Vulnerability Could Lead To RCE, Patch Today!"

Oxeye found a new security flaw, tracked as CVE-2023-0620, in the HashiCorp Vault Project, an identity-based secrets and encryption management system used to control access to Application Programming Interface (API) encryption keys, passwords, and certificates. The vulnerability is a SQL injection flaw that could result in Remote Code Execution (RCE). It was patched in Vault versions 1.13.1, 1.12.5, and 1.11.9 after being reported by Oxeye. HashiCorp Vault offers encryption services for modern microservices-based applications that typically require many secrets. In Vault, these secrets are protected by authentication and authorization mechanisms and are accessed through HashiCorp's UI, CLI, or HTTP API. Researchers from Oxeye discovered the vulnerability during a routine deployment scan. They found that attackers could use it to access sensitive data, modify or delete it, and execute malicious code on the target system.

Help Net Security reports "HashiCorp Vault Vulnerability Could Lead To RCE, Patch Today!"

Submitted by Anonymous on